全网最深入的比特币生态防钓鱼指南(Taproot 升级最新版)
作者:OneKey 中文,来源:作者推特@OneKeyCN
2021年末,Taproot 升级在第 709,632 个区块生效。那时候的人们,沉浸在以太坊 NFT 的热潮之中,无人知晓这将是 BTC 最「造富」的一次升级。
Taproot 与 Segwit 升级一起为 BTC 网络引入了新特性,也让区块数据间接扩容(相当于 1 MB 到 4 MB),成为了 2023 年至今 BTC 生态爆发的导火索。Taproot Assets、 Ordinals BRC-20、 ARC-20、 Runes 等新资产涌现,也让 Taproot 的转账采用率基本一直保持在一半甚至以上。
然而,新资产与新特性的引入也伴随着新的安全挑战。
比特币生态有着与以太坊生态不一样的底层模型。目前 BTC 新资产生态这种「好多东西都有待建设」和「理解门槛偏高」的场面,相信让很多用户都感到兴奋——毕竟这往往意味着「暴富」的机会。
但这也会对用户的安全操作意识提出了新的要求,否则很容易不明不白地就丢币。甚至还出现了如之前 Atomic 市场错误使用签名类型导致黑客攻击的事故。
下文 OneKey 深入浅出告诉大家如何在安全基础设施有限的 BTC 生态,最大程度保护资产安全,预防钓鱼。
Taproot 升级的具体影响简析
在讲述具体的防钓鱼措施之前,我们需要铺垫下 Taproot 升级的影响。
除了此前提到间接促进了 BTC 多资产生态的繁荣之外,在 BTC 交易底层其实也发生了很大的变化,主要是两个:Schnorr 签名和 MAST 技术。而这两者结合 PSBT (部分签名交易)之后,便让黑客钓鱼的发挥空间更多了。
一个是 Schnorr 签名。没错,这次升级把白皮书里的 ECDSA 签名换掉了。这个签名的技术特性是多个签名或者公钥聚合为一个。以往需要多个签名一次次确认的工作,现在只需要验证一次,直接缩小了签名的占用空间。
一个是 MAST 技术。如果说前者是聚合签名,那么 MAST 就是用来「聚合」多个脚本(对于脚本,你可以理解为比特币的有限「智能合约」)。同时,提交验证解锁花费的时候,也只需要验证花费条件其中的一个。很多条件的复杂的脚本的占用空间可以大大缩小。
这两个技术对隐私性的影响是最大的,同时也隐含了安全风险的空间。
对于转账记录,升级后所有的 UTXO 转账看起来都一样。在 Mempool 里面转账类型都显示为 P2TR ,地址都是 bc1p 开头相同长度的地址。
在以前,你可以很轻松区分转账到普通地址(P2PKH / P2WPKH)和转账到脚本地址(P2SH / P2WSH)的区别。
现在观察其他人花费掉一个 UTXO 之前,你根本无法分辨转账到普通地址与转账到脚本地址的区别。
对于脚本,矿工验证也只需要暴露脚本的一个花费条件,其他的分支脚本,外界不得而知。
预防比特币生态新资产钓鱼的 5 个心术
显然,目前 BTC 一层的资产生态的安全基础设施远没有以太坊强大,有许多东西需要用户先行理解学习。
同时,钓鱼的原理也和以太坊不太一样,很多钓鱼攻击在被发现之前可能整个市场都不太了解。例如 Atomic 市场的*SIGNHASH_NONE 签名安全事故,Unisat / Xverse 钱包也是后来才加入的安全提醒。
(1)第一个心术:老生常谈的加密安全基本功。
也就是注意私钥离线储存安全、注意是否为信任的网址和注意保护电脑不要中招木马病毒等等。
可是,在 FOMO 的市场中,新项目可能尚未形成信任共识就会有用户想要去「冲」,这时候接下来的几个心术就尤为重要。
(2)第二个心术:明确输入输出。
以太坊有「盲签名」。也就是说在签名的时候,如果钱包不解析,你只能看到一段乱七八糟的字符,无法预知签名之后资产会发生什么变化。这也就造成了丢币的风险。
而在比特币中,一定会明确一个交易的输入和输出,以及输入输出的对应的转账地址。(也就是:「从哪来,来了多少币」和「到哪里去,去了多少币」。)
签名的时候,不论是否使用 PSBT,交易前后会发生的变化,是一定会明确地显示在钱包中。所以核对输入输出是否符合自己的意图预期,非常重要。
例如假如黑客想要一次性钓走你的所有 Ordinals 铭文 NFT,在交易的输入(INPUT)中,一定会显示你的所有铭文 NFT 都被放进去了。同时输出(OUTPUT)中会显示他们都去到了陌生的地址里。
以使用 Unisat 在 MagicEden 挂单 Ordinals 铭文 NFT 为例子。当你在 MagiEden 市场挂单一个或者多个铭文 NFT 时,弹出的 PSBT 签名请求会显示交易的输入(INPUT)是你的某一个铭文或者多个铭文,输出则会显示,一旦交易成功,你会收到多少的比特币。
(3)第三个心术:签名类型要小心。
你可以在这里看到比特币目前的签名类型的科普(https://btcstudy.org/2021/11/09/bitcoin-signature-types-sighash/)。
这里面唯一需要注意的签名类型就是 SIGHASH_NONE(0x02)和 SIGHASH_NONE | SIGHASH_ANYONECANPAY(0x82)。这两个都意味着你「只对交易的输入签名,不管交易的输出」。
对于交易铭文资产而言,安全的签名类型应该是SIGHASH_SINGLE | SIGHASH_ANYONECANPAY(0x83),能够通过 PSBT 免信任构造一个完整的交易。这也是 MagicEden、OKX 等主流铭文交易市场使用的签名类型。
以 Atomic 市场之前错误使用 SIGHASH_NONE | SIGHASH_ANYONECANPAY(0x82) 签名为例。
当你挂单 Atom 铭文资产的时候,你在签名的时候确实看到了正确的输入和输出,即「规定了我挂单的资产在输入里,输出也有我能收到的钱」。
但是,黑客完全可以拿到这个 PSBT 修改输出,提交的交易也会被矿工打包,最终让你收不到挂单的钱。总之是因为使用的签名类型只对输入部分签名,最终导致「零元购」。
好在,目前主流的 BTC 生态钱包,比如 Unisat 和 Xverse,已经都支持了高亮提醒或者禁止 SIGHASH_NONE 类的签名类型。如果看到了相关的签名类型的提示,在非特殊用途的情况下,不要使用这种签名。
(4)第四个心术:使用脚本要小心。
假如某个项目或者平台,需要你转账资产到某个脚本地址,你要格外小心。在签名的时候,你会看到你的资产在输出中去到了一个陌生的地址。
根据此前的内容你会知道,Taproot 升级后,脚本地址和用户私钥地址是一样的。
假如盗窃者试图用私钥地址欺骗,收到的资产是可以直接转走的。
假如是真的脚本地址。那要看他们是否公开了脚本地址的全部内容。假如是公布不完整的内容,尽管在使用的时候用户可以正常地签名操作转移资产,也有可能隐藏了一个或者多个的恶意 UTXO 解锁条件。可能会在未来某一天突然「收网」转走全部的 UTXO 资产。
即使他们开源了整个脚本的内容,目前市面上的钱包也并没有验证脚本 MAST 完整性和输出地址的对应性的功能,需要懂技术的用户自行使用 Taproot 的算法确认。或者十分信任这个项目和团队。
好在对于目前的应用,各种铭文资产的交易都不需要使用复杂的脚本,使用 PSBT(部分签名交易)来规定好输入和输出即可。
但是在未来的 BTC L2 操作中,大概率会涉及到复杂多条件的比特币脚本。例如 Babylon @babylon_chain 的比特币质押脚本中,就有相对复杂一些的罚没逻辑和解锁逻辑。
假如你要使用这种比特币脚本的原生质押方式,此时开源脚本并验证安全性、完整性就尤为重要,否则就需要用户绝对信任项目方。
(5)第五个心术:关注安全动态,注意防患于未然。
关注安全领域的头部账号,保证自己能跟上最新钓鱼手法,第一时间获得警告。诸如 SlowMist 的余弦 @evilcos 、Go Plus 安全官方 @GoPlusSecurity 、Scam Sniffer @realScamSniffer 、我们 OneKey 官方账号 @OneKeyCN 。
关于防患于未然,我们可以迁移其他地方的安全经验。
例如,在以太坊中,有这样一种钓鱼方式——即构造头尾相似的地址,导致用户在历史记录中错误复制而丢失资产。而在构造 BTC 签名交易的时候,也有可能因为没有清楚地检查输出的地址而踩到坑。
在 Unisat / Xverse 等主流 BTC 生态钱包中,Taproot 地址展示为 bc1px…e9wh0 (例),而 bc1p 为 Taproot 地址的固定开头。
这相当于只展示了 6 个字母为用于确认。相对有常用地址通讯录功能、基本都展示 10 位以上的以太坊的钱包标配,显然还不够。
这意味着黑客有不小的可能,去通过生成匹配的地址进行定制化钓鱼(尽管目前在比特币上还不多)。
所以如果做的绝一些,防患于未然,应要核对尽可能完整的地址。
总之......
Study Bitcoin.
Study Bitcoin Security.
随着 Taproot 为比特币引入新资产新场景,我们也必须学习新形式的安全威胁,尤其是不断演化的钓鱼技术。
尤其是现在生态基础设施不完善的情况,即使是误操作丢币、烧币都时有发生,更别说精心策划的钓鱼了。
At that time, people were immersed in the upsurge of Ethereum, and no one knew that it would be the most wealth-making upgrade. Together with the upgrade, it introduced new features to the network and indirectly expanded the block data, which was equivalent to the emergence of new assets such as the fuse of ecological explosion from year to date, and kept the transfer adoption rate basically at half or even above. However, the introduction of new assets and new features was accompanied by new security challenges. At present, the new asset ecology, which is different from the Ethereum ecology, has many things to be built and understood. I believe that many users are excited. After all, this often means the opportunity to get rich, but it also puts forward new requirements for users' awareness of safe operation. Otherwise, it is easy to lose money inexplicably, and even there have been accidents such as hackers' attacks caused by the misuse of signature types in the market. A brief analysis of the specific impact of ecological maximum protection of asset security and prevention of phishing escalation. Before talking about specific anti-phishing measures, we need to pave the way for the impact of escalation. In addition to indirectly promoting the prosperity of multi-asset ecology as mentioned earlier, the bottom of the transaction has actually undergone great changes, mainly two signatures and technologies. After the combination of these two signatures, hackers will have more room to play phishing. One is the signature. This upgrade has replaced the signature in the white paper. The technical feature of is that multiple signatures or public keys are aggregated into a work that used to require multiple signatures to be confirmed again and again. Now, it only needs to be verified once, which directly reduces the occupied space of signatures. One is technology. If the former is an aggregated signature, it is used to aggregate multiple scripts. For scripts, you can understand it as a limited intelligent contract of Bitcoin. At the same time, when submitting verification and unlocking costs, you only need to verify the spending conditions, and the occupied space of complex scripts with many conditions can be greatly reduced. These two technologies have the greatest impact on privacy, and at the same time, they also imply the space of security risks. After the transfer record is upgraded, all transfers look the same. In it, the transfer types are all displayed as addresses with the same length at the beginning. In the past, you can easily distinguish the difference between transferring to an ordinary address and transferring to a script address. Now, you can't tell the difference between transferring to an ordinary address and transferring to a script address before observing others spend one. It is also true for script miners to verify. It is only necessary to expose a spending condition of the script, and other branch scripts are unknown to the outside world. Obviously, the security infrastructure of the asset ecology on the first floor is far less powerful than that of Ethereum. There are many things that users need to understand and learn first, and the principle of fishing is not the same as that of Ethereum. Many phishing attacks may not be well understood by the whole market before they are discovered. For example, the signature of the market, the wallet is also the first security reminder that was added later. The old-fashioned basic skills of encryption security are to pay attention to the security of private key offline storage, whether it is a trusted website or not, and to protect computers from Trojan viruses, etc. However, in the new market, new projects may not have reached a consensus of trust, and users will want to rush. At this time, the next few tricks are particularly important. The second trick is to clearly input and output. Ethereum has a blind signature, which means that if the wallet is not parsed, you can only see a messy character that cannot be predicted. Knowing what will happen to the assets after signing, this will also cause the risk of losing coins. In Bitcoin, the input and output of a transaction and the corresponding transfer address of the input and output will be clearly defined, that is, where many coins have come from and where they have gone. When signing, the changes that will happen before and after the transaction will be clearly displayed in the wallet, so it is very important to check whether the input and output meet their own intentions and expectations. For example, if a hacker wants to fish away at one time. All your inscriptions will show in the input of the transaction that all your inscriptions have been put in, and the output will show that they have all gone to strange addresses. Take the inscription on the pending list as an example. When you hang one or more inscriptions in the market, the pop-up signature request will show that the input of the transaction is one of your inscriptions or multiple inscriptions, and the output will show how much bitcoin you will receive once the transaction is successful. Be careful. You can see bitcoin here. The current signature type of popular science, the only signature type that needs attention is and both of which mean that you only sign the input of the transaction, regardless of the output of the transaction. The safe signature type for the transaction inscription assets should be the one that can construct a complete transaction without trust, which is also the signature type used by the mainstream inscription trading market. Take the misuse of the signature before the market as an example. When you sign the inscription assets, you really see the correct input and output, that is. It is stipulated that I can also receive money from the input of the pending assets, but hackers can completely get this modification and the transactions submitted by the output will also be packaged by miners, which will eventually make you unable to receive the pending money. In short, it is because the signature type used only signs the input part, which eventually leads to the purchase of zero yuan. At present, mainstream eco-wallets, such as and, have supported highlighted reminders or prohibited signature types. If you see the relevant signature types, don't use them for non-special purposes. The fourth trick of using this signature is to be careful when using scripts. If a project or platform needs you to transfer assets to a script address, you should be extra careful. When signing, you will see that your assets went to a strange address in the output. According to the previous content, you will know that the upgraded script address is the same as the user's private key address. If thieves try to cheat the received assets with the private key address, they can directly transfer them away. If it is a real script address, it depends on whether they disclose their feet. If the whole content of this address is published incompletely, although users can sign and transfer assets normally when using it, one or more malicious unlocking conditions may be hidden, and all assets may be suddenly closed one day in the future. Even if they open the whole script, the wallet on the market at present does not have the function of verifying the integrity of the script and the correspondence of the output address, which requires users who know the technology to confirm or trust this project and team with their own algorithms. Fortunately, there is no need to use complex scripts for the current application of various inscription assets transactions. 比特币今日价格行情网_okx交易所app_永续合约_比特币怎么买卖交易_虚拟币交易所平台
注册有任何问题请添加 微信:MVIP619 拉你进入群
打开微信扫一扫
添加客服
进入交流群
1.本站遵循行业规范,任何转载的稿件都会明确标注作者和来源;2.本站的原创文章,请转载时务必注明文章作者和来源,不尊重原创的行为我们将追究责任;3.作者投稿可能会经我们编辑修改或补充。
